We believe that [redacted] is a clue evidencing identity of the hacker, because [redacted]

6. An investigation of the breach was conducted. This report was prepared [redacted]

[redacted] discovered that password cracking software had been installed on our terminal servers by [redacted]
Investigation of Network Security Breach, NMRO — 6/17/2000
Results of the Investigation

I believe the Lophtcrack software was used to gain access to NMRO administrative passwords. Once the malicious user had access to these passwords, they had access to the entire NMRO domain. The hacker logged onto the [redacted] mailbox using [redacted] domain, as [redacted] and created an email [redacted] username/password. The user then gained access [redacted] email. [redacted] retains copies of his email on the Microsoft Exchange server, a malicious user would be able to read and access his mail. This would explain why [redacted] has already been accessed.

Chronology of Facts

Saturday 6/17/2000

[redacted] are receiving email that [redacted]

Contacted by [redacted] concerning email security 6/17/2000. Someone from within or outside the NMRO organization is accessing and forwarding email from [redacted] exchange mailboxes.
Monday 6/19/2000

Arrived NMRO at 7:30 am and met with [redacted] briefly concerning the email security incident. [redacted] met with [redacted] behind closed doors about the incident.

[redacted] immediately began to investigate the incident. These were our findings:

1. Someone other than the authorized network security personnel had tampered with Windows NT Users and Groups permissions on the NMRO primary domain controller.

2. A user account that was disabled by [redacted] after the individual left the company was enabled. The user was our [redacted]. After further investigation, several other users and groups have received domain administrator privileges not authorized by the Network Administrator. Refer to the NMRO Security Update document for further reference.
[redacted] immediately revoked Admin privileges for all unauthorized users and groups from the NMRO domain controllers and revoked remote access privileges to the [redacted]. [redacted] is the only NMRO employee that has remote access to the NMRO domain.


3. Focusing our attention on NMRO terminal servers, we discovered Lophtcrack 2.5 software (www.l0pht.com/l0phtcrack/) had been installed on Terminal Server (Frame 2). This software, when placed and executed on a Windows NT server, will crack all administrative and user passwords. A malicious hacker uses this software to gain password access in the domain. The Lophtcrack folders were deleted off the terminal servers, yet the software was not removed properly from the Add/Remove Programs option in the Windows NT Control Panel, therefore leaving a trail that the software was loaded on the server.
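The findings above amount to three checks an administrator can repeat on a schedule: compare admin-group membership on the domain controller against the authorized list, look for accounts of departed employees that have been re-enabled or granted remote logon, and check the Add/Remove Programs (uninstall) entries on the terminal servers for remnants of password-cracking software. The Python script below is an added illustration of those checks and is not code from the NMRO report or the FBI file; the account names, group names, baseline lists and uninstall entries in it are constructed, and the real authorized list would come from the NMRO Security Update document the report cites.

```python
"""Audit a Windows NT domain snapshot for the conditions the NMRO findings
describe. Everything here is constructed for illustration; it is not NMRO
data and not code from the report."""

from dataclasses import dataclass

# Groups whose membership confers domain-wide administrative rights on NT.
ADMIN_GROUPS = {"Domain Admins", "Administrators"}


@dataclass(frozen=True)
class Account:
    name: str
    disabled: bool        # account flagged disabled in User Manager
    remote_logon: bool    # dial-in / remote access permission granted
    groups: frozenset     # group memberships as exported from the PDC


# Constructed baseline (hypothetical names): the report refers to the
# "NMRO Security Update document" for the real authorized list.
AUTHORIZED_ADMINS = {"netadmin"}      # accounts allowed in ADMIN_GROUPS
AUTHORIZED_REMOTE = {"netadmin"}      # the one employee allowed remote access
TERMINATED = {"jdoe", "rsmith"}       # left the company; must stay disabled

# Constructed snapshot of the primary domain controller's accounts.
SNAPSHOT = [
    Account("netadmin", False, True, frozenset({"Domain Admins"})),
    Account("jdoe", False, True, frozenset({"Domain Admins", "Domain Users"})),
    Account("rsmith", True, False, frozenset({"Domain Users"})),
    Account("helpdesk", False, False, frozenset({"Administrators"})),
    Account("clerk1", False, False, frozenset({"Domain Users"})),
]

# Constructed Add/Remove Programs (uninstall) entries from a terminal server.
UNINSTALL_ENTRIES = [
    "Microsoft Exchange Server",
    "L0phtCrack 2.5",
    "Adobe Acrobat Reader",
]
# Display-name fragments for the password-cracking software the report names.
CRACKER_WATCHLIST = ["l0phtcrack", "lophtcrack"]


def audit(snapshot, authorized_admins, authorized_remote, terminated):
    """Return (kind, account) findings, in snapshot order."""
    findings = []
    for acct in snapshot:
        # Finding 2: a departed employee's account has been re-enabled.
        if acct.name in terminated and not acct.disabled:
            findings.append(("reenabled_terminated", acct.name))
        # Remote access is permitted for exactly one employee.
        if acct.remote_logon and acct.name not in authorized_remote:
            findings.append(("unauthorized_remote", acct.name))
        # Finding 1/2: admin rights not granted by the Network Administrator.
        if acct.groups & ADMIN_GROUPS and acct.name not in authorized_admins:
            findings.append(("unauthorized_admin", acct.name))
    return findings


def remediation_plan(findings):
    """Map each finding to the action the report took: disable the account,
    revoke remote access, or remove the unauthorized admin membership."""
    actions = {
        "reenabled_terminated": "disable account",
        "unauthorized_remote": "revoke remote access",
        "unauthorized_admin": "remove from admin groups",
    }
    return [(name, actions[kind]) for kind, name in findings]


def leftover_tools(uninstall_entries, watchlist):
    """Uninstall entries whose display name matches a watched cracker; a
    match after the program folders are gone is the trail the report
    describes (finding 3)."""
    return [e for e in uninstall_entries
            if any(w in e.lower() for w in watchlist)]


if __name__ == "__main__":
    found = audit(SNAPSHOT, AUTHORIZED_ADMINS, AUTHORIZED_REMOTE, TERMINATED)
    for kind, name in found:
        print(f"{kind:22} {name}")
    for name, action in remediation_plan(found):
        print(f"remediate {name}: {action}")
    print("leftover tools:", leftover_tools(UNINSTALL_ENTRIES, CRACKER_WATCHLIST))
```

On the constructed snapshot the script reports the re-enabled terminated account jdoe three times (re-enabled, remote logon, Domain Admins) and the helpdesk account once for its unauthorized Administrators membership, while rsmith passes because it is still disabled; the uninstall scan returns the lingering L0phtCrack entry. The audit takes the baseline sets as parameters so the same function can be run against a fresh export after remediation to confirm it comes back empty.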
possible. Thank you in advance for your attention to this matter.
FEDERAL BUREAU OF INVESTIGATION

Date of transcription 07/19/2000

[redacted] was interviewed telephonically at [redacted]. After being advised of the official identity of the interviewing agent and the purpose of the interview, [redacted] provided the following information:

[redacted] is employed by National Medical Review Offices (NMRO) as [redacted]. [redacted] examined NMRO's event logs and security logs in an attempt to identify the origin of the intrusions into NMRO's computer system between April and June of 2000. [redacted] could not identify a specific user responsible for these intrusions.

[redacted] access to NMRO's system was disabled after his termination. [redacted] subsequently examined the accounts of a number of people who are no longer employed by NMRO. Access to these accounts should have been disabled. However, on approximately 06/15/2000, [redacted] found that the passwords and remote logon capabilities for approximately six of these accounts had been enabled. This included [redacted] account. The majority of these had administrative privileges. These accounts would have to have been enabled from inside the company. However, it is difficult to determine how and when these accounts were enabled.

There were several instances between the middle of April, 2000 and June, 2000 when NMRO's system had suspicious outages and went down. The system was down for a total of approximately three days. [redacted] suspected that someone was hacking into NMRO's system in an attempt to shut it down.

The affected machine was NMRO's mail server. The intruder may have gained access through a program or batch file on the server. [redacted] and would have had ample opportunity to install such a program on that server.

LOPHT is a hacker group that does not engage in criminal activity. This group created a program called LOPHTCRACKER that cracks system passwords. In [redacted] told [redacted] to run this program on NMRO's system in order to test the system.
To: NSD    From: Los Angeles

Re: [redacted]    Date 07/20/2000

these accounts had been enabled. This included [redacted] account. The majority of these had administrative privileges. These accounts would have to have been enabled from inside the company. However, it is difficult to determine how and when these accounts were enabled.

There were several instances between the middle of April, 2000 and June, 2000 when NMRO's system had suspicious outages and went down. The system was down for a total of approximately three days. [redacted] suspected that someone was hacking into NMRO's system in an attempt to shut it down.

The affected machine was NMRO's mail server. The intruder may have gained access through a program or batch file on the server. [redacted] and would have had ample opportunity to install such a program on that server.

LOPHT is a hacker group that does not engage in criminal activity. This group created a program called LOPHTCRACKER that cracks system passwords. In [redacted] told [redacted] to run this program on NMRO's system in order to test the system.

[redacted] of NMRO's servers which are main domain controllers are named [redacted]. The Internet Protocol (IP) addresses for these servers are [redacted] respectively.

Given that there has not been a verifiable financial loss to NMRO or theft of trade secrets, and because the intrusions are not ongoing, writer recommends that case be opened and closed. Investigation at Los Angeles complete.